Quiz

Question 1

what is iptables used for

Answer 1

host based IP filtering

Question 2

the following command tells you what?

grep ^$ file1.txt | wc-l

Answer 2

There are 30 blank lines in file1.txt

Question 3

What is the expected output of the following command:

grep -v ‘^$’ message.txt

Answer 3

any line that is not a blank line in message.txt

Question 4

Right now I can’t use ‘sudo’, what file needs to be updated to allow a regular user to run commands

Answer 4

/etc/sudoers

Question 5

When working with a disk image containing an MBR, most Sleuthkit commands require information provided by what commands?

Answer 5

fdisk or mmls

Question 6

In the following command what does the ‘.’ signify?

find . -name ‘myfile.txt’

Answer 6

start in current directory

Question 7

What are the differences in systemd and BSD style init systems

Answer 7

systemd uses targets while BSD init uses runlevels

BSD runs linearly
systemd runs parallel

BSD uses text based
systemd uses binary system

Question 8

Given the below forensic image containing two NTFS partitions, what will the following command display?

mmls suspect_image.raw

Answer 8

The offsets to each file system in the image

Question 9

What is the sed command most often used for?

Answer 9

editing a stream of data, usually in ascii

Question 10

What was Bash designed to be

Answer 10

A replacement to the original UNIX Bourne shell

Question 11

In Regex, what symbol means “zero or one of the preceding characters?

Answer 11

?

• • zero, one or more
    + - one or more
    ‘' - match previous or next character/group

Question 12

What is the only linux distribution suitable for digital forensics?

Answer 12

all linux distributions can be configured to work for digital forensics, depending on the investigators needs

Question 13

What file do you need to restart a ddrescue acquisition

Answer 13

map file

Question 14

What information would you expect from the fls - Frd command

Example: fls -o 10260 -Frd able2.dd

Answer 14

-F (only files entries)
-d (deleted entries)
-r (recursive)

r/r - indicates the file type (r-regular, d-directory)
* - indicates the
file is deleted or unallocated,

Output:
r/r * 10063: var/log/xferlog.5
r/r * 10063: var/lock/makewhatis.lock
r/r * 2139: dev/ttYZ0/lrkn.tgz
d/r * 10071(realloc): dev/ttYZ0/lrk3

Question 15

The first 10 characters of ‘ls -l’ are reserved for what information?

Example:
brw-rw—-

Answer 15

File type information and read(4)/write(2)/execute(1) permissions

the object is a block device file with permissions 660

Question 16

True/False: lsblk will not show a flash based storage device because flash based devices are not recognized by the SCSI driver

Answer 16

False

Question 17

Given a data block from a file system containing interesting text, I can determine the metadata entry (MFT entry, inode, etc.) that points to that data block using what command?

Answer 17

ifind with the -d option

Question 18

What does the dd command do?

Answer 18

-can be used to restore a hard drive to a previous state, given a dd image previously collected from the same hd
-can be used to acquire disk images
-can be used to copy a file from one location to another

Question 19

What information will be displayed when you add a metadata entry number to the fls command

Answer 19

display the contents of that directory / metadata entry number

Question 20

What are the permissions for the octal value 774

Answer 20

rwxrwxr–

Question 21

What does this command output:

xxd image.dd | grep ‘aad9bcf3’

Answer 21

it will output the occurrences of ascii ‘aad9bcf3’ if it is located in xxd output

Question 22

what does the command ewfexport do

Answer 22

exports a virtual fuse mounted raw image

take an EWF file set and convert it to a bit stream image file, essentially removing the meta data and leaving us with the data in raw format, as with dd.

Question 23

What command can be used to associate multiple partitions in the image to separate loop devices

Answer 23

losetup -Pr image.raw

losetup -P maps partitions within an image to separate loop devices that can then be mounted the same as any other volume

Question 24

What command obtains a serial number from a USB flash drive

Answer 24

lsusb -v

Question 25

What does the following command output:

grep -i ‘it’ thinking.txt

Answer 25

strings containing ‘IT’, ‘it’, ‘It’

-i = case insensitive

Question 26

What is the following command doing:

dc3dd if=/dev/sda | nc 192.168.55.18 2020

Answer 26

dc3dd is imaging /dev/sda device, on the source computer, and porting over the extracted data to IP address on port 2020

the collection/receiving computer has an open nc connection on port 2020

Question 27

What is an advantage of using dc3dd over dd

Answer 27

dc3dd has logging and hashing capabilities built in

Question 28

What are the commands used to install software “from source”

Answer 28

’./configure’ command sets environment variables and enables or disables program features based on available libraries and arguments

‘make’ command compiles the program

‘install’ command moves the compiled executables

sboinstall - installs from packages

To install a Slackware package, when we are not using the slackpkg front end, we use the pkgtool command installpkg

Question 29

What will the blkcat command output

Answer 29

directly stream the contents of a data block you specify

Question 30

What command will identify a file system on a block device (/dev/sdc1)

Answer 30

file -s /dev/sdc1

Question 31

The output from what command can be piped into another command to calculate the hash, check a file type, or view contents

Answer 31

icat

Question 32

What command should be used to stream contents of data blocks associated with a particular metadata entry

Answer 32

icat

Question 33

What does the d input indicate in the following command

ifind -o 2048 -d 232989 image.raw

Answer 33

the -d input is associated with a data block / inode

a data block from the file system at offset 2048 from image.raw

Question 34

What command can be used to identify file system blocks associated with a metadata entry

Answer 34

istat

Question 35

What command will show all the lines in file file2.txt that contain the string ‘McDonald’

Answer 35

grep ‘McDonald’ file2.txt

grep -i mcdonald file2.txt

Question 36

Given the hexadecimal number “0xCCE4F8”, the commands “echo $((cce4f8)) and “echo ‘ibase=16;cce4f8’ | bc” would output what

Answer 36

an incorrect value

correct command would be

echo “ibase=16; cce4f8” | bc
echo $((0xcce4f8))

Question 37

What grep expression would match the following output:

201981131:15:46:15 log entry created

Answer 37

^[[:digit:]]{8}

Question 38

What do package managers allow a user to do?

Answer 38

Keep track of what packages are installed

they do not install optional dependencies by default

Question 39

What command will mount a split raw image file and access it as a single raw image

Answer 39

affuse

Question 40

What command will recursively list only the unallocated files of a directory with an MFT number 44 contained in image.raw with file system starting at 2048

Answer 40

fls -o 2048 -Frd image.raw 44

Question 41

What command will result in a loop device that contains only the NTFS volume at offset 59

Answer 41

losetup -o $((59*512))

Question 42

What command can be used to check to see if a disk has been wiped (with all 0’s)

Answer 42

xxd -a /dev/sdd

Question 43

What is a benefit of using a package manager compared to downloading source code

Answer 43

package manager keeps track of what has been installed

downloading from source allows for customization

Question 44

What command can be used to show kernel messages to detect devices

Answer 44

dmesg

Question 45

What is the following command doing if /dev/sdd is a 4G drive:

dc3dd if=/dev/sdd ofs=image.000 ofsz=2G log=image.log

Answer 45

a forensic image image of device with images image.000 and image.001

Question 46

What directory usually contains system binary files that are run by root

Answer 46

sbin

Question 47

What is true about md5sum and sha1sum

Answer 47

You can has data coming through netcat pipe

they can’t be used to compress files

cannot use hash value to recreate a file

Question 48

What does the -exec parameter of the find command do

Answer 48

execute the following command on every file found

Question 49

A correct fls -Dd command will accomplish what?

Answer 49

A list of deleted directories but not deleted sub-directories of deleted directories (not recursive)

Question 50

How would you unmount a volume mounted at /mnt/analysis at /dev/sdb1

Answer 50

umount /mnt/analysis or umount /dev/sdb1